Attachment 56 Details for Bug 188 – Second version of previous patch - also disables password aging in password userauth

[patch] Second version of previous patch - also disables password aging in password userauth

openssh-kbdint-pam.patch2 (text/plain), 5.07 KB, created by Nicolas Williams on 2002-03-28 07:27:45 AEDT

(hide)

Description:

Filename:

MIME Type:

Creator: Nicolas Williams

Created: 2002-03-28 07:27:45 AEDT

Size: 5.07 KB

patch

obsolete

>Index: 3_0_2p1_w_gssk5_ubsw_devl.32/session.c
>--- 3_0_2p1_w_gssk5_ubsw_devl.32/session.c Thu, 10 Jan 2002 14:22:14 -0500
>+++ 3_0_2p1_w_gssk5_ubsw_devl.34(w)/session.c Wed, 27 Mar 2002 14:58:16 -0500
>@@ -734,17 +734,6 @@
> 	    get_remote_name_or_ip(utmp_len, options.reverse_mapping_check),
> 	    (struct sockaddr *)&from);
> 
>-#ifdef USE_PAM
>-	/*
>-	 * If password change is needed, do it now.
>-	 * This needs to occur before the ~/.hushlogin check.
>-	 */
>-	if (is_pam_password_change_required()) {
>-		print_pam_messages();
>-		do_pam_chauthtok();
>-	}
>-#endif
>-
> 	if (check_quietlogin(s, command))
> 		return;
> 
>Index: 3_0_2p1_w_gssk5_ubsw_devl.32/auth2-pam.c
>--- 3_0_2p1_w_gssk5_ubsw_devl.32/auth2-pam.c Wed, 21 Nov 2001 10:38:46 -0500
>+++ 3_0_2p1_w_gssk5_ubsw_devl.34(w)/auth2-pam.c Wed, 27 Mar 2002 10:28:30 -0500
>@@ -42,7 +42,7 @@
> 
> 	dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE,
> 	    &input_userauth_info_response_pam);
>-	retval = (do_pam_authenticate(0) == PAM_SUCCESS);
>+	retval = (do_pam_authenticate(0, 1) == PAM_SUCCESS);
> 	dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE, NULL);
> 
> 	return retval;
>Index: 3_0_2p1_w_gssk5_ubsw_devl.32/auth-pam.h
>--- 3_0_2p1_w_gssk5_ubsw_devl.32/auth-pam.h Thu, 10 Jan 2002 14:22:14 -0500
>+++ 3_0_2p1_w_gssk5_ubsw_devl.34(w)/auth-pam.h Wed, 27 Mar 2002 14:58:54 -0500
>@@ -9,13 +9,12 @@
> void finish_pam(void);
> int auth_pam_password(struct passwd *pw, const char *password);
> char **fetch_pam_environment(void);
>-int do_pam_authenticate(int flags);
>+int do_pam_authenticate(int flags, int can_age_pw_here);
> int do_pam_account(char *username, char *remote_user);
> void do_pam_session(char *username, const char *ttyname);
> void do_pam_setcred(int init);
> void print_pam_messages(void);
> int is_pam_password_change_required(void);
>-void do_pam_chauthtok(void);
> void do_pam_set_conv(struct pam_conv *);
> int do_pam_putenv(char *, char *);
> void message_cat(char **p, const char *a);
>Index: 3_0_2p1_w_gssk5_ubsw_devl.32/auth-pam.c
>--- 3_0_2p1_w_gssk5_ubsw_devl.32/auth-pam.c Thu, 10 Jan 2002 14:22:14 -0500
>+++ 3_0_2p1_w_gssk5_ubsw_devl.34(w)/auth-pam.c Wed, 27 Mar 2002 15:11:42 -0500
>@@ -58,6 +58,7 @@
> static int password_change_required = 0;
> /* remember whether the last pam_authenticate() succeeded or not */
> static int was_authenticated = 0;
>+static int acct_mgmt_retval = -1;
> 
> /* Remember what has been initialised */
> static int session_opened = 0;
>@@ -71,10 +72,40 @@
> }
> 
> /* start an authentication run */
>-int do_pam_authenticate(int flags)
>+int do_pam_authenticate(int flags, int can_age_pw_here)
> {
> 	int retval = pam_authenticate(__pamh, flags);
>+
>+	was_authenticated = (retval == PAM_SUCCESS);
>+	if (retval != PAM_SUCCESS)
>+		return retval;
>+
>+	acct_mgmt_retval = pam_acct_mgmt(__pamh, 0);
>+
>+	if (acct_mgmt_retval == PAM_SUCCESS)
>+		return PAM_SUCCESS;
>+
>+	was_authenticated = 0;
>+	if (acct_mgmt_retval != PAM_NEW_AUTHTOK_REQD)
>+		return acct_mgmt_retval;
>+
>+	/* (acct_mgmt_retval == PAM_NEW_AUTHTOK_REQD) */
>+	/* PAM auth token (password) is expired */
>+
>+	/*
>+	 * USERAUTH_PASSWORD_CHANGEREQ is not currently
>+	 * supported. Password aged users using password
>+	 * userauth are thrown out here.
>+	 */
>+	if (!can_age_pw_here)
>+		return PAM_NEW_AUTHTOK_REQD;
>+
>+	debug("do_pam_authenticate() - doing password aging");
>+	retval = pam_chauthtok(__pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
> 	was_authenticated = (retval == PAM_SUCCESS);
>+	if (retval == PAM_SUCCESS)
>+		acct_mgmt_retval = PAM_SUCCESS;
>+
> 	return retval;
> }
> 
>@@ -218,7 +249,8 @@
> 
> 	pamstate = INITIAL_LOGIN;
> 	pam_retval = do_pam_authenticate(
>-	    options.permit_empty_passwd == 0 ? PAM_DISALLOW_NULL_AUTHTOK : 0);
>+	    options.permit_empty_passwd == 0 ? PAM_DISALLOW_NULL_AUTHTOK : 0,
>+	    0);
> 	if (pam_retval == PAM_SUCCESS) {
> 		debug("PAM Password authentication accepted for "
> 		    "user \"%.100s\"", pw->pw_name);
>@@ -246,7 +278,11 @@
> 			    PAM_STRERROR(__pamh, pam_retval));
> 	}
> 
>-	pam_retval = pam_acct_mgmt(__pamh, 0);
>+	/* do_pam_authenticate() may have called pam_acct_mgmt() already */
>+	pam_retval = acct_mgmt_retval;
>+	if (pam_retval == -1)
>+		pam_retval = pam_acct_mgmt(__pamh, 0);
>+
> 	switch (pam_retval) {
> 		case PAM_SUCCESS:
> 			/* This is what we want */
>@@ -255,6 +291,7 @@
> 			message_cat(&__pam_msg, NEW_AUTHTOK_MSG);
> 			/* flag that password change is necessary */
> 			password_change_required = 1;
>+			return(0); /* Sorry, no TTY password aging */
> 			break;
> 		default:
> 			log("PAM rejected by account configuration[%d]: "
>@@ -314,27 +351,6 @@
> int is_pam_password_change_required(void)
> {
> 	return password_change_required;
>-}
>-
>-/*
>- * Have user change authentication token if pam_acct_mgmt() indicated
>- * it was expired.  This needs to be called after an interactive
>- * session is established and the user's pty is connected to
>- * stdin/stout/stderr.
>- */
>-void do_pam_chauthtok(void)
>-{
>-	int pam_retval;
>-
>-	do_pam_set_conv(&conv);
>-
>-	if (password_change_required) {
>-		pamstate = OTHER;
>-		pam_retval = pam_chauthtok(__pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
>-		if (pam_retval != PAM_SUCCESS)
>-			fatal("PAM pam_chauthtok failed[%d]: %.200s",
>-			    pam_retval, PAM_STRERROR(__pamh, pam_retval));
>-	}
> }
> 
> /* Cleanly shutdown PAM */

Actions: View | Diff

Attachments on bug 188: 55 | 56